Posted by Cliff on Monday November 17, 2003 @06:58PM
from the transforming-teacher's-pet-into-pet-peeve dept.

Durindana writes "My law school has decided on using the Exam4 software from Extegrity, thinking it would be a good idea. I disagree; the software can only be used by students on their own laptops, and (of course) Exam4 is mono-platform. Anyone have experience using this software (e.g. security level, reliability) or, hopefully, successfully opposing its use? It strikes me as a hell of a disadvantage to students who'd like an alternative to hand-writing but - for some strange reason - don't own a Windows laptop."

If you are running the software on your own laptop, then you don't need to care about 'vulnerabilities'. It's your laptop so you can run what you like on it anyway! For example, run the exam software in a VMware virtual machine or under a debugger. If you demonstrate this point to the exam organizers I'm sure they will rethink their plan.

To do online exams you need to control the PCs being used, as done with Lexis [ic.ac.uk].

That's funny, because it looks like you lifted the policy that you quoted from The University of Maryland's Law School Policy [umaryland.edu].
I think it's no coincidence that this is the first link that shows up when you search in Google for exam4 policy [google.com]. Do not follow the advice of the original poster - it is bogus advice and he is lying. He most definitely is not in "dental school" and does not use Exam4.
He is making up crap like this to get extra karma, which is kind

Unless I'm missing something, this is hilarious. The way I read it, his law school is forcing everyone to get a Windows laptop to be able to run some exam software. The implications of this are fun to think about. For one, by forcing everyone on a single platform, the law school seems to be going against the Microsoft antitrust ruling. Secondly, doesn't using "exam software" on people's personal computers seem a little insecure? How long until someone brute forces all the multiple choice questions?

The worst part is how trivially easy it usually is to get to a command prompt under Win2K. I am no longer at school but I did work at an establishment with a stupidly locked down network for some time and coming up with all sorts of tricks such as adding "cmd.exe" as a favourite using the Word "Save As..." dialog box then calling it up in Internet Explorer and watching it run...

My wife is applying to law school this year, and we've run into the same questions. Do we get her a powerbook now, and hope that her preferred school (U. Washington) continues to not use the software, or do we wait until school is about to start before we decide? Granted, we're now waiting because she got a new desktop machine and I can't afford to get her a laptop, but the question is still out there.

On the "disadvantage" side of things, exam4 looks particularly bad. Other pages allow students access

I'm in law school now, and one thing you can count on is that everyone else is running Windows, and 99% of them are taking notes in Word (I've run into a few people who use WordPerfect).

In fact, law school is yet another place that being a Linux geek does not help you. When someone wants to borrow notes, you can bet that they're not gonna want yours, as yours aren't in Word format. This isn't so bad, except that of course, when it comes time for you to grab notes from someone else, your options may be l

Beyond law school, any firm that your wife works for is going to run Windows, she's gonna have to do Word documents, there's no way around it. Short of working for yourself, the law world works with Windows and Word. Even when working for yourself, you can believe that any software you want to use for billing, forms, etc. will be Windows-based.

Just to pick nits, I worked IT at a law firm in southern Connecticut for three years, and during that time they used Macs on the desktop, and

When someone wants to borrow notes, you can bet that they're not gonna want yours, as yours aren't in Word format.

Uh, you're taking notes with such heavy formatting that you can't export to plain text (or at least RTF)? Damn, you must type and mouse fast to be able to do that.
(I can't type fast enough to make taking notes on a keyboard anywhere near practical, much less take notes with heavy formatting.)

I've also encountered Extegrity's product, which is required at my law school. It does have at least rudimentary protection against the most obvious workarounds - when I tried to run it within VMware, it "failed security check" and refused to operate. I'm not sure how exactly it checks to see if it's running in a virtualized environment - one project I have on my back-burner is to see how well it deals with bochs [sourceforge.net].

I'm also the proud owner of a PowerBook. My solution was to trade some other computer gear for a big old PC laptop with a mostly-dead battery that meets the system requirements. I plan to use that laptop only for taking exams. Aside from exams, my school is fairly platform-agnostic: papers are turned in on paper, and the only electronic interaction with professors is via email. The one kink that I have run into is profs and fellow students who insist on sharing their academic insight via Word.doc files. OpenOffice hasn't failed me yet, though, and of course Word for the Mac exists and is frequently available at a steep discount to students.

As someone who also develops examination software, and who is doing academic research into computer security, I have to say that this is a ridiculous idea. Aside from requiring people to have specific hardware and purchase specific (pricey, but I guess they're law students...) software, the security issues here are horrendous.

The *only* ways to do this kind of thing are either to have the software running on trusted hardware like a previously set up computer lab, or to run the software on a trusted server and give the *untrusted* clients only a thin-client (citrix/ts/vnc/web browser). AND you have to have someone supervising them to make sure they've smuggled no notes in and aren't cut'n'pasting from another app.

Surely a law school, of all places, would have someone who knows a bit about information security on staff?

This software looks like exactly the kind of product developed by someone with no security training outside Microsoft's VB tutorials.

Exactly the kind of software not to use for anything important - and Exams at Law School are important - there is a huge amount of money and future careers involved.

No matter how great the software is, it will still be running on a platform which can have problems (no matter what OS). I'm surprised that nobody is manufacturing small wireless devices solely for taking such tests. Make them cheap enough that the school could afford to buy them for everyone and hand them out before each exam. Student logs in, registers answers. Wouldn't be difficult to transmit results as you go, so in the event of a hardware or network failure, no information would be lost. Grab another

Just hope they have some decent authentication/encryption mechanism for the wireless transmission (yeah, I know you already mentioned encryption), or else someone sitting outside with a laptop and airsnort/kismet/ethereal/whatever will get all the answers. This is especially bad if said person will be taking the same exam in the next day or so.

If integrity is right behavior due to moral values within, extegrity is right behavior due to a system of rules imposed from without. Sounds about like what the product they're hawking is for.

That's an interesting take. I guess that means that if you have strict principles that guide your behavior, you have a lot of integrity; but if you are simply a law-abiding person with few principles, you have a lot of extegrity...:)

When I was going to school, the Sys Admin had a special environment set up on the Solaris server, that had very minimal tools. We would use a thin client to get access (new accounts too) to the resources to do the exam. The exams were 4 hours and we did not have any previous time with the environment. Worked good, if you spent any time trying to find ways around the system, you just ate into the exam time.

Don't law schools often require or subsidise the purchase of a specific supported laptop, for precisely this kind of reason? If the students don't have Windows laptops, or laptops at all, how can they be expected to take tests at all?

Since their entire website is written by a marketroid (UltraSecure mode), to be read by paranoid school administrators, you can bet this software is all hype, no substance. It will be cracked 10 minutes after a school announces it will be used. They may have some success running it securely in a supervised computer lab, but if students are expected to install it on their home computers or in an open lab, good luck.

Running software on untrusted hardware can never really be secure. If the school wants to do this sort of thing, they need to provide the machines.

They could either buy a set of laptops specifically for exams, or they could buy some low-end machine whose primary function is word processing. Examples are the Dana AlphaSmart and the LaserPC. A simple cold boot will bring them back into a known configuration. Buying a few dozen of those may even be cheaper than a site license for the "Extegrity" software.